A brand of malware that has previously gone undetected is being used in targeted attacks against Linux systems.
According to researchers from cybersecurity firm ESET, the malware, named FontOnLake, appears to be well-designed and while under active development already includes remote access options, credential theft features, and is able to initialize proxy servers.
FontOnLake samples first appeared on VirusTotal in May 2020 but the command-and-control (C2) servers linked to these files are disabled, which the researchers say may be due to the uploads.
The researchers added that Linux systems targeted by the malware may be located in areas including Southeast Asia.
ESET believes the operators are “overly cautious” about being caught and their activities exposed as almost all samples obtained use different C2 server addresses and a variety of ports. Furthermore, the malware’s authors make use of C/C++ and a number of third-party libraries such as Boost and Protobuf.
FontOnLake is modular malware that harnesses custom binaries to infect a machine and to execute malicious code. While ESET is still investigating FontOnLake, the firm says that among its known components are trojanized apps which are used to load backdoors, rootkits, and to collect information.
“Patches of the applications are most likely applied on the source code level, which indicates that the applications must have been compiled and replaced the original ones,” the team says.
In total, three backdoors have also been connected to FontOnLake. The backdoors are all written in C++ and create a bridge to the same C2 for data exfiltration. In addition, they are able to issue “heartbeat” commands to keep this connection active.
FontOnLake is always joined with a kernel-mode rootkit to maintain persistence on an infected Linux machine. According to Avast, the rootkit is based on the open source Suterusu project.
Tencent and Lacework Labs have also published research on what appears to be the same strain of malware. ESET has also released a technical whitepaper (.PDF) examining FontOnLake.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
